CVE Board Meeting Minutes - 22 March 2017

CVE Board Meeting

22 March 2017, 2:00 p.m. ET

The CVE Board met via teleconference on 22 March 2017.

Board members in attendance were:

Andy Balinsky (Cisco)

Harold Booth (NIST)

Kent Landfield (Intel)

Art Manion (CERT/CC)

Kurt Seifried (Red Hat/DWF)

Taki Uchiyama (JPCERT/CC)

David Waltermire (NIST)

Members of the MITRE CVE Team who attended the call are as follows:

Dan Adinolfi

Jon Baker

Chris Coffin

Jonathan Evans

Matt Hansbury

George Theall

Agenda

CVE Board Meeting 22 March 2017

Agenda

2:00 – 2:05: Introductions, action items from the last meeting – Chris Coffin

2:05 – 2:25: Working Groups

            Strategic Planning - Kent Landfield

                        Issues

                        Actions

                        Board Decisions

            Automation - Harold Booth/Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

2:25 – 2:50: CNA Update

            DWF – Kurt Seifried

                        Issues

                        Actions

                        Board Decisions

            General - Dan Adinolfi

                        Issues

                        Actions

                        Board Decisions

2:50 – 3:10: Timeframe for Updating Upstream CNAs - Dan Adinolfi

3:10 – 3:30: CNA Report Card Template - Dan Adinolfi

3:30 – 3:55: Open discussion – CVE Board

3:55 – 4:00: Action items, wrap-up – Chris Coffin

Introductions and review of previous action items

• A new regular time for the Strategic Planning Working Group was scheduled.
• The GitHub branch containing CNA documentation to be developed was shared with the Board.
• A summary of observations from the RSA Conference will be sent to the Board.
• Use cases for including services in the CVE list are still being developed by the Board.

Working Groups

• Strategic Planning - Kent Landfield
  • Issues
    • There were no updates from the Strategic Planning Working Group.
  • Actions
    • The next Strategic Planning WG meeting will be April 6, 2017 at 2PM ET. Future meetings will be held the Thursday after the first Board meeting each month.
  • Board Decisions
    • There was no additional Board Discussion.
• Automation - Harold Booth
  • Issues
    • The WG is still considering how to allow for bi-directional data flow of CVE Data between CNAs.
    • The WG is considering supporting the developing CVSS JSON spec.
    • There is a need to include assigner information in the minimum JSON specification, though this is not something that should stop the JSON format from moving forward.
  • Actions
    • The WG has accepted the current minimum specification draft of the JSON format, and recent changes have been included in the latest revision. MITRE asked the Board for their approval of MITRE accepting submissions using this new format. That discussion will continue on the Board mailing list.
  • Board Decisions

CNA Update

• DWF – Kurt Seifried
  • Issues
    • The Mentor program within the DWF currently has three Mentors. Training and reference documentation is being developed. 
  • Actions
    • DWF and the Board should consider allowing Mentors to update the CVE ID list if they come across CVE IDs being used publicly but are still listed as “RESERVED” in the CVE ID list.
  • Board Decisions
    • There was no additional Board Discussion.
• General - Dan Adinolfi
  • Issues
    • The Board had suggested that CVE should begin working with the Chinese government as soon as possible to avoid any political complications of introducing CVE into the Chinese market. MITRE is still looking to make that contact.
  • Actions
    • MITRE met with Flexera Software, who has been on-boarded as a CNA.
    • MITRE continues to work with JPCERT/CC to organize a CNA training session on May 23-24 in Tokyo.
  • Board Decisions
    • There was no additional Board Discussion.

CNA Report Card – Dan Adinolfi

MITRE presented a draft template for the quarterly CNA Report Card to the Board. The Board accepted the current template and plans to update and revise it over time. MITRE will provide the metrics for the first quarter 2017 at the next Board meeting.

The Board suggested that to create a more transparent environment, a public issue tracker would be useful. Through such a thing, individuals with questions or comments on CVE ID assignments would be able to post those and have the details directed to the appropriate CNA. Also, the Board reiterated that there should be an easy way to link individual CVE IDs to the CNAs that assigned them. Finally, the Board suggested that including meta-information about CVE IDs and CNAs within CVE entries themselves may help automate and crowdsource the requirement for accurate metrics. These three suggestions will be discussed more fully in the future.

Timeframe for Updating Upstream CNAs – Chris Coffin

The current CNA rules do not stipulate a specific time by which a CNA should update their upstream CNA after a CVE ID has been made public. MITRE asked the Board for guidance on the most time a CNA can wait. The Board suggested that CNAs should update their upstream CNAs within 24 hours of the publication of a CVE ID. This recommendation will be added to the list of updates to be considered for the next CNA Rules update.

Additionally, CVE IDs that have been reserved for long periods of time without any public assignment could be “REJECT”ed or labeled in some other way to indicate they are inactive in the CVE list. This idea will also be considered further.

Open Discussion - Dan Adinolfi

The Board was directed to the GitHub branch of the CVE repository that has placeholders and early drafts for CNA documentation. The first document to be taken on by the Board, a CVE 101 white paper, will be shared with the Board and developed in the two-week timeframe that was previously discussed.

The Board was reminded that CVE now has two Twitter accounts (@CVEannounce and @CVEnew) and a LinkedIn page. As of the Board meeting, @CVEannounce had approximately 40 followers, @CVEnew had approximately 500 followers, and the LinkedIn page had approximately 80 followers.

The Board suggested that it should begin planning on another face-to-face meeting of the Board and CNAs.

MITRE will be attending a few conferences in the next few months to raise awareness of the CVE and CNA programs, to encourage participation, and to solicit feedback from stakeholders. The Board suggested that MITRE share their travel plans where they cannot go to give the Board an idea of where they could go out to raise awareness themselves.

The Board discussed whether it should be an accepted practice for a CNA to assign CVE IDs to issues that will never be made public. Most of the Board felt this was not acceptable, but additional debate will be had on this topic.

Action items, wrap-up – Chris Coffin

• The CNA Report Card for the first quarter of this calendar year will be provided to the Board by the next Board meeting.
• The first document to be developed for the new CNA documentation will be shared.
• A summary of observations from the RSA Conference will be sent to the Board.
• Use cases for including services in the CVE list are still being developed by the Board.